Real Life Harms of Student Data
Moving Beyond the Hypothetical
Educational data can be beneficial — calling attention to disparities, informing interventions, and increasing the efficiency of educational processes.
So What’s the Trouble?
Advocacy groups, educators, and parents express concerns about potential future harms of student data collection. The Parent Coalition for Student Privacy summarizes fears expressed by privacy advocates: educational companies are taking students’ sensitive data and selling it to for-profit data-mining vendors and third parties. Yet it’s unclear how prevalent this practice is, what data is being shared, and what the consequences may be. Is the worry that data will be used for targeted advertising? Federal and state law protects against the sharing of educational data with third parties and prohibits the collection of student data for advertising purposes. Is the worry that data will be used to discriminate against students? There are also laws protecting against that, but the potential is real.
Looking at previous harms could be helpful for understanding future threats, but we still need to ask whether there are real, contemporary examples of harms occurring as a result of student data collection.
Overall, cases where student data has led to harms aren’t about data per se, but about the way that people interact with the data…
…accidental data leaks, data being hacked, data being lost, school officials using off-campus information for discipline, oversight in planning for data handling when companies are sold, and faulty data and data systems resulting in negative outcomes. Let’s break it down.
People Leaking Data
Proper technical security measures are useless if people are accidentally sharing student data. There have been multiple occasions of blunders that resulted in accidental breaches of student data. In the summer of 2015, Canadian school officials realized that an unencrypted hard drive containing 3.4 million records of students and teachers had been misplaced. In 2009, schools in Wake County, NC, sent out 15,000 postcards to parents without realizing that the students’ social security numbers were on the address labels of 5,000 of them. Four years later, an employee at Page High School in North Carolina accidentally sent a PDF containing the names, addresses, phone numbers, course enrollments, grades, identification numbers, and other transcript data of over 400 students to a student’s guardian who had requested information. The school district didn’t realize the error until the guardian noticed the file was sent by mistake and contacted the employee.
People Hacking Data
While a majority of public cases of data breach have been due to error, there are incidents when determined people hack the data. One common method of hacking is through phishing. A fake email is sent that leads an employee to log into a fake server. Once the employee has logged in, the hackers have an entry point into the system. The hacking incidents have sometimes been juvenile mischief reminiscent of the iconic scene in Ferris Bueller’s Day-Off in which Ferris hacked his school’s computer system and changed his records. In 2015, a trio of high school students in Long Island hacked their school’s computer system, changed grades, and altered schedules for about 300 students. The students were charged with burglary, eavesdropping, identity theft, and criminal solicitation, and the alterations were corrected. On the other hand, there have been hacks with more malicious intent in higher education. In February 2016, the University of Central Florida, located in Orlando, FL, revealed that 63,000 social security numbers and names for current and former students had been stolen by hackers. The university does not know how the hackers accessed the administrative systems, nor what the hackers intend to use the information for.
People Using Data for Surveillance
Hyper-surveillance of students is nothing new in schools serving primarily low-income students where metal detectors, ID swiping, and heavy security guard presence are the norm. With the increased availability and variety of student data has come school administrators who attempt to use it in ways that are creepy, for lack of a better word. The line is hazy between which data created by students qualify as “educational data” and which should be left alone. In 2015, Pearson came under fire for monitoring social media accounts in an attempt to identify students who might be leaking information about tests that the company administered. Pearson had used student data to identify which accounts to monitor. In 2012, a Missouri principal created a fake Facebook profile to monitor her high school students. After a recent graduate outed the principal as the creator of the profile, it was deleted and the principal resigned from her post. However, there have been several instances in which the monitoring of student’s social media outside of school hours has resulted in disciplinary actions within schools. In 2009, a student was coerced into giving a school employee her Facebook login and was later punished for the content the employee found.
People Designing Faulty Data Systems and Measures
Problems also arise at the level of the people designing the data systems and measures, which have resulted in faulty data and failed delivery of services. The occasions of erroneous data found in the news have been related to teacher ratings, but if the same errors occurred in measures of student performance, then the effect could be even more detrimental. In 2016, over 200 NYC educators received false ratings linked to student performance. The miscalculated ratings were corrected and did not jeopardize anyone’s employment, but the potential impact of this was played out in Washington, DC, when a teacher was fired due to an incorrect rating. Specifically for students, faulty data systems have been a barrier for receiving services. In 2016, a report released by the NYC Department of Education revealed that as a result of faulty data systems, up to 40 percent of students in NYC who had been recommended for special-education services might not have received them.
Now What?
The common thread across these incidents of harm has been human error.
Contrary to common fears, no incidents of targeted advertising towards students have been publicly reported. There have been instances in which school employees accidentally shared sensitive data, students and other outside actors hacked into school systems to tamper with data, school officials attempted to use off-campus activity to discipline students, and poorly designed data systems have negatively impacted both students and teachers. In the face of these very real harms, how should discussions of student data privacy pivot to address the human element, rather than focus on an as yet unrealized threat?
Points: “Real Life Harms of Student Data,” Mikaela Pitcan’s second Points original (the first, on equity, is here), argues that assessing real harms connected with student data forces us to acknowledge the mundane, human causes. What do we do now? (For starters, Data & Society’s Enabling Connected Learning initiative (ECL) has joined forces with the Berkman Center for Internet & Society’s Youth and Media team (whew, love all those words) to resurrect This Week in Student Privacy as Student Privacy, Equity, and Digital Literacy, a newsletter on student privacy developments plus! the equity and digital literacy dimensions of today’s learning ecosystems; subscribe! What’s more, ECL now has its own Medium publication.) — Ed.
Mikaela Pitcan is a doctoral student in Counseling Psychology at Fordham University and a research analyst in the Enabling Connected Learning initiative at Data & Society.
